Wednesday, August 13, 2008


CAIRO: While the boundaries of Gaza and Kashmir garner far more headlines, a less tangible set of borders are proving to be almost equally vital to state security: those that govern the sprawling fields of data on the internet.  

Under a set of global security standards known as ISO 27001, nearly 90 percent of Egyptian state information systems are not secure, said Hassan El Meligy, director of assistance and automation as Megacom, an 11-year-old information technology consulting firm. In most cases, nearly half of the standards on the list are unmet, he said.

Megacom works with a range of banks, manufacturers, small businesses and state agencies here, and often insists on using international standards to figure out how protected their clients are. “Because we are connected globally, anyone can steal information,” El Meligy said.

The sort of online nastiness that can befall a state already has a number of precedents. In August this year, hackers paralyzed Georgian state websites just as Russian tanks pushed across the country’s physical borders. And shortly after Estonian officials talked of removing an old Soviet monument from the capital Tallinn in 2007, state websites were smashed by a wave of “denial of service” attacks.

The physical route of a country’s internet contact is important. Georgia’s websites were particularly vulnerable because much of their connection is wired through Russia. An article published in The New York Times yesterday pointed out that the shift of internet paths to other countries has American intelligence worried over their ability to monitor global flow of information.

A country’s economic and political interests are often intertwined, and it is still businesses, such as banks, that make up the bulk of hackers’ targets.

The interaction between public and private is often complex. In many cases, companies are reluctant to let local competitors catch a glimpse of sensitive information, so they reroute their networks through service providers in other countries, as with Egypt’s internet through Europe. The risks of this became obvious when a submarine snapped cable in the Mediterranean last January, dragging connection speed to a crawl for several days.

While both local and global companies are sprouting up in Egypt to deal with these issues, the state should also do more to make firms abide by standards, El Meligy said. In his opinion, this is not much different from forcing companies to follow fire codes.

“You don’t have a fire every day, but you could face a hacker every day,” he said. “The government should apply security standards.”

Online crime has grown organically with the internet. While many early web lawbreakers acted mostly to see what they could get away with, the image of the lone, basement-dwelling hacker has since morphed into something closer to a mafia don: Complex online groups with multilayered bureaucratic — and non-technical — structures now function essentially like other organized criminals, as with one Russian group busted in 2004 after unleashing a series of “denial of service” attacks.

Now many use tools like botnets, or collections of automatically-run software, to plunder online accounts, alter public records, glimpse sensitive information and then blackmail its users, or disrupt the day-to-day work of businesses and governments.

Some examples of large attacks include “Code Red” in 2001 and the “SQL Slammer” in 2003 — both based on worms, or self-replicating programs used to jam the bandwidths of targets. 

Many companies and state bodies are also becoming worried about insiders. The threat that disaffected employees could ransack company data or that a sensitive spreadsheet could be intercepted from an unsecured wireless network is becoming graver as more people work outside the office, according to many in the industry. 

As the stock exchange expands here, and firms as diverse as automotives and tourism reach outside of Egypt, businesses and the state will continue to march steadily online. The profits are potentially huge, but so are the risks.

There is plenty of ground to cover. At a conference on internet security held by the International Data Corporation last week, one speaker asked how many in the crowd had heard of the SQL Slammer. Only two raised their hands.

El Meligy pointed to local culture. While Egyptians are becoming more aware of the threats posed online, many are used to leaving the doors of the offices and homes open to visitors, and are thus reluctant to shut themselves off, he said. “Everything is open [in Egypt],” he said. “People consider computers in the same way.”

No comments: